author | Linux Build Service Account <lnxbuild@localhost> | 2016-10-10 09:24:35 -0600 |
---|---|---|
committer | Linux Build Service Account <lnxbuild@localhost> | 2016-10-10 09:24:35 -0600 |
commit | 33634b612a6bede11b0d7d0d0f81328e3352e5d6 (patch) | |
tree | 8c16748d02cb6f682602044d512b6d392b8c2614 | |
parent | 7db37e89a8be9b528142fb30b68ff1fe71a66367 (diff) | |
parent | d22eecffecc4bc284dd053b01181c854e3a0df2a (diff) | |
Merge d22eecffecc4bc284dd053b01181c854e3a0df2a on remote branch
Change-Id: Icfd788c2bb5484128ab08a7eb16a807e53794636
-rw-r--r-- | common/device.te | 3 | ||||
-rw-r--r-- | common/file.te | 3 | ||||
-rw-r--r-- | common/file_contexts | 1 | ||||
-rw-r--r-- | common/init.te | 4 | ||||
-rw-r--r-- | common/init_shell.te | 6 | ||||
-rw-r--r-- | common/location.te | 6 | ||||
-rwxr-xr-x | common/mmi.te | 3 | ||||
-rw-r--r-- | common/platform_app.te | 2 | ||||
-rwxr-xr-x | common/property_contexts | 3 | ||||
-rw-r--r-- | common/qcomsysd.te | 1 | ||||
-rw-r--r-- | common/rfs_access.te | 4 | ||||
-rw-r--r-- | common/rmt_storage.te | 4 | ||||
-rw-r--r-- | common/system_app.te | 1 | ||||
-rw-r--r-- | common/untrusted_app.te | 1 | ||||
-rwxr-xr-x | common/vold.te | 5 | ||||
-rw-r--r-- | msm8952/mediaserver.te | 3 | ||||
-rw-r--r-- | msm8952/property.te | 2 | ||||
-rw-r--r-- | msm8996/file_contexts | 2 | ||||
-rw-r--r-- | msmcobalt/file_contexts | 7 | ||||
-rw-r--r-- | msmcobalt/qvop.te | 4 |
20 files changed, 52 insertions, 13 deletions
diff --git a/common/device.te b/common/device.te index f1997642..362be377 100644 --- a/common/device.te +++ b/common/device.te @@ -69,9 +69,6 @@ type efs_boot_dev, dev_type; #MBA debug image partition type mba_debug_dev, dev_type; -#Misc partition -type misc_partition, dev_type; - #logdump partition type logdump_partition, dev_type; diff --git a/common/file.te b/common/file.te index 29d6a721..2d31a6d4 100644 --- a/common/file.te +++ b/common/file.te @@ -203,3 +203,6 @@ type wififtmd_socket, file_type; type persist_alarm_file, file_type; type persist_time_file, file_type; + +# kgsl file type for sysfs access +type sysfs_kgsl, sysfs_type, fs_type; diff --git a/common/file_contexts b/common/file_contexts index d27f2981..54d1c0e4 100644 --- a/common/file_contexts +++ b/common/file_contexts @@ -351,6 +351,7 @@ /persist/drm(/.*)? u:object_r:persist_drm_file:s0 /persist/sensors(/.*)? u:object_r:sensors_persist_file:s0 /persist/alarm(/.*)? u:object_r:persist_alarm_file:s0 +/persist/time(/.*)? u:object_r:persist_time_file:s0 /persist/data(/.*)? u:object_r:persist_drm_file:s0 /persist/data/tz(/.*)? u:object_r:persist_drm_file:s0 /persist/data/sfs(/.*)? u:object_r:persist_drm_file:s0 diff --git a/common/init.te b/common/init.te index 02d804cd..6cde24b0 100644 --- a/common/init.te +++ b/common/init.te @@ -27,3 +27,7 @@ allow init { domain -lmkd }:process noatsecure; allow init configfs:dir r_dir_perms; allow init configfs:file { rw_file_perms link }; allow init configfs:lnk_file create_file_perms; + +#Allow init to mount non-hlos partitions in A/B builds +allow init firmware_file:dir { mounton }; +allow init bt_firmware_file:dir { mounton }; diff --git a/common/init_shell.te b/common/init_shell.te index bc88f3b1..487caf05 100644 --- a/common/init_shell.te +++ b/common/init_shell.te 
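Review bot: On user builds the common/location.te hunk leaves `location` with no access to `wifi_data_file:dir` at all, because the unconditional `allow location wifi_data_file:dir r_dir_perms;` is removed and every replacement rule sits inside `userdebug_or_eng(...)`. If production builds still need the directory read, keep the original line outside the macro and put only the wider `create_dir_perms`, `sock_file create_file_perms` and `su:unix_dgram_socket sendto` grants inside it. If the removal is deliberate, record it under the existing `#wifi` comment, for example `# userdebug/eng only; user builds intentionally get no wifi_data_file access`. The rest of location.te lies outside the hunk, so another rule may already cover the read.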
@@ -116,7 +116,8 @@ allow qti_init_shell { r_dir_file(qti_init_shell, sysfs_thermal) allow qti_init_shell sysfs_socinfo:file write; - +allow qti_init_shell sysfs:{ dir file lnk_file } relabelfrom; +allow qti_init_shell sysfs_devices_system_cpu: { dir file lnk_file } relabelto; # Check if /dev/sensors or /dev/msm_dsps present allow qti_init_shell sensors_data_file:dir r_dir_perms; allow qti_init_shell sensors_device:chr_file r_file_perms; @@ -188,3 +189,6 @@ allow qti_init_shell persist_alarm_file:file r_file_perms; #Allow /sys access to write zram disksize allow qti_init_shell sysfs_zram:dir r_dir_perms; allow qti_init_shell sysfs_zram:file w_file_perms; + +# To get GPU frequencies +allow qti_init_shell sysfs_kgsl:file r_file_perms; diff --git a/common/location.te b/common/location.te index 393bae60..a72adc11 100644 --- a/common/location.te +++ b/common/location.te @@ -41,7 +41,11 @@ allow location sensors_persist_file:dir r_dir_perms; allow location sensors_persist_file:file r_file_perms; #wifi -allow location wifi_data_file:dir r_dir_perms; +userdebug_or_eng(` +allow location wifi_data_file:dir create_dir_perms; +allow location wifi_data_file:sock_file create_file_perms; +allow location su:unix_dgram_socket sendto; +') unix_socket_send(wpa, location, location) allow location wpa:unix_dgram_socket sendto; allow location wpa_socket:dir rw_dir_perms; diff --git a/common/mmi.te b/common/mmi.te index 56b2be94..92e1ebcd 100755 --- a/common/mmi.te +++ b/common/mmi.te @@ -36,9 +36,6 @@ allow mmi persist_file:dir r_dir_perms; allow mmi sensors_persist_file:dir create_dir_perms; allow mmi sensors_persist_file:file create_file_perms; -#allow mmi operation on MISC partition -allow mmi misc_partition:blk_file w_file_perms; - #wifi case allow mmi system_file:file x_file_perms; allow mmi wpa_exec:file rx_file_perms; diff --git a/common/platform_app.te b/common/platform_app.te index bc558e90..0dd94ddc 100644 --- a/common/platform_app.te +++ b/common/platform_app.te 
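Review bot: The `relabelfrom` rule added after the `sysfs_socinfo` line in common/init_shell.te applies to every dir, file and symlink that still carries the generic `sysfs` label. Combined with `relabelto` on `sysfs_devices_system_cpu`, it lets the init shell domain move any such node into the CPU sysfs type. Any domain allowed to write `sysfs_devices_system_cpu` then reaches the relabelled node, so the effective grant is wider than the two lines suggest. Neither line has a comment, unlike the surrounding rules; name the nodes being relabelled, e.g. `# relabel <cpu sysfs paths> so that <consumer> can access them`, and check whether those paths could instead be labelled at build time so the shell domain needs no relabel rights over generic sysfs. The second rule also has a stray space in `sysfs_devices_system_cpu: {`, which the first rule does not.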
@@ -10,7 +10,7 @@ binder_call(platform_app, secotad) # Allow platform apps to interact with imscm daemon binder_call(platform_app, imscm) - +allow platform_app imscm_service:service_manager find; allow platform_app color_service:service_manager find; # Allow NFC service to be found diff --git a/common/property_contexts b/common/property_contexts index ea5bbda5..bb4720d9 100755 --- a/common/property_contexts +++ b/common/property_contexts @@ -46,6 +46,7 @@ ctl.ipacm-diag u:object_r:ipacm-diag_prop:s0 ctl.qti u:object_r:qti_prop:s0 ctl.sensors u:object_r:sensors_prop:s0 ctl.msm_irqbalance u:object_r:msm_irqbalance_prop:s0 +ctl.msm_irqbal_lb u:object_r:msm_irqbalance_prop:s0 camera. u:object_r:camera_prop:s0 persist.camera. u:object_r:camera_prop:s0 spcomlib. u:object_r:spcomlib_prop:s0 @@ -84,3 +85,5 @@ ro.hwui.texture_cache_size u:object_r:hwui_prop:s0 persist.graphics.vulkan.disable u:object_r:graphics_vulkan_prop:s0 #boot mode property sys.boot_mode u:object_r:boot_mode_prop:s0 +# GPU +ro.gpu.available_frequencies u:object_r:freq_prop:s0 diff --git a/common/qcomsysd.te b/common/qcomsysd.te index 2dbd2cbc..c1257cb8 100644 --- a/common/qcomsysd.te +++ b/common/qcomsysd.te @@ -10,7 +10,6 @@ allow qcomsysd smem_log_device:chr_file rw_file_perms; #Needed to read/write cookies to the misc partition allow qcomsysd block_device:dir r_dir_perms; allow qcomsysd { - misc_partition #Needed to access the bootselect partition bootselect_device }:blk_file rw_file_perms; diff --git a/common/rfs_access.te b/common/rfs_access.te index 69c14e65..318fffc1 100644 --- a/common/rfs_access.te +++ b/common/rfs_access.te @@ -53,6 +53,7 @@ allow rfs_access self:capability { setuid setgid setpcap + net_bind_service net_raw }; 
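Review bot: `net_bind_service` is added to the `self:capability` set in common/rfs_access.te with no stated reason, and common/rmt_storage.te gets the same addition. The only new comments in either file describe the kmsg rule. Both domains already hold `net_raw` and `setpcap`, so each further capability should be traceable to a concrete need; add a line above each block such as `# net_bind_service: <which socket the daemon binds and why>`. The capability blocks begin outside the hunks, so an existing comment higher up may need updating instead.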
@@ -62,6 +63,9 @@ allow rfs_access self:capability { allow rfs_access self:capability { dac_read_search chown dac_override }; +#For access to the kmsg device +allow rfs_access kmsg_device:chr_file w_file_perms; + #Prevent other domains from accessing RFS data files. neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:dir create_dir_perms; neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:file create_file_perms; diff --git a/common/rmt_storage.te b/common/rmt_storage.te index 6b43ae07..f043becc 100644 --- a/common/rmt_storage.te +++ b/common/rmt_storage.te @@ -18,6 +18,7 @@ allow rmt_storage self:capability { setgid sys_admin dac_override + net_bind_service net_raw setpcap }; @@ -32,6 +33,9 @@ wakelock_use(rmt_storage) allow rmt_storage self:socket create_socket_perms; allow rmt_storage uio_device:chr_file rw_file_perms; +#For access to the kmsg device +allow rmt_storage kmsg_device:chr_file w_file_perms; + #debugfs access userdebug_or_eng(` typeattribute rmt_storage qti_debugfs_domain; diff --git a/common/system_app.te b/common/system_app.te index 255e5664..01d999af 100644 --- a/common/system_app.te +++ b/common/system_app.te @@ -100,6 +100,7 @@ binder_call(system_app, secotad) # allow system_app to interact with imscm daemon binder_call(system_app, imscm) +allow system_app imscm_service:service_manager find; # access to seemp folder allow system_app seemp_file:dir r_dir_perms; diff --git a/common/untrusted_app.te b/common/untrusted_app.te index c2b75d54..8f6d10b7 100644 --- a/common/untrusted_app.te +++ b/common/untrusted_app.te @@ -9,6 +9,7 @@ neverallow untrusted_app diag_device:chr_file rw_file_perms; # using binder call userdebug_or_eng(` binder_call(untrusted_app, imscm) + allow untrusted_app imscm_service:service_manager find; ') # for finding wbc_service diff --git a/common/vold.te b/common/vold.te index 08476cf3..48411ebf 100755 
--- a/common/vold.te +++ b/common/vold.te @@ -2,6 +2,11 @@ allow vold tee_device:chr_file rw_file_perms; allow vold self:capability sys_boot; allow vold cache_file:dir w_dir_perms; allow vold { fscklogs cache_file }:file create_file_perms; + +# Read and write /cache/recovery/command +allow vold cache_recovery_file:dir rw_dir_perms; +allow vold cache_recovery_file:file create_file_perms; + allow vold { proc_sysrq proc_dirty_ratio }:file rw_file_perms; wakelock_use(vold) allow vold swap_block_device:blk_file r_file_perms; diff --git a/msm8952/mediaserver.te b/msm8952/mediaserver.te index 0f88a051..5bd54323 100644 --- a/msm8952/mediaserver.te +++ b/msm8952/mediaserver.te @@ -27,3 +27,6 @@ # allow mediaserver to access media.msm8956hw allow mediaserver media_msm8956hw_prop:file r_file_perms; +allow mediaserver media_settings_xml_prop:file r_file_perms; +allow mediaserver seempd:unix_dgram_socket sendto; +allow mediaserver seempdw_socket:sock_file write; diff --git a/msm8952/property.te b/msm8952/property.te index 9b93f862..2cfa17e8 100644 --- a/msm8952/property.te +++ b/msm8952/property.te @@ -27,5 +27,5 @@ #properites for init.qcom.sh script type media_msm8956hw_prop, property_type; -type media_settings_xml_prop, property_type; +type media_settings_xml_prop, property_type, core_property_type; type media_msm8956_version_prop, property_type; diff --git a/msm8996/file_contexts b/msm8996/file_contexts index 02618e09..6c3e83bd 100644 --- a/msm8996/file_contexts +++ b/msm8996/file_contexts @@ -96,6 +96,8 @@ # /sys/devices/virtual/graphics/fb([0-2])+/lineptr_value u:object_r:sysfs_graphics:s0 +/sys/devices/soc/b00000.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpu_available_frequencies u:object_r:sysfs_kgsl:s0 + ################################### # data files # diff --git a/msmcobalt/file_contexts b/msmcobalt/file_contexts index 0a29e092..46ad29a2 100644 --- a/msmcobalt/file_contexts +++ b/msmcobalt/file_contexts 
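Review bot: The comment in the common/vold.te hunk says vold reads and writes `/cache/recovery/command`, but the two rules are scoped to the whole `cache_recovery_file` type. They grant `rw_dir_perms` on every directory and `create_file_perms` on every file with that label, which includes create, rename and unlink. Recovery acts on the contents of that command file, so the grant should be no wider than vold's actual use. If vold only writes the one file, say so in the comment, e.g. `# vold writes /cache/recovery/command only (<feature>)`, and check whether `rw_file_perms` plus `create` is sufficient.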
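Review bot: Adding `core_property_type` to `media_settings_xml_prop` in msm8952/property.te widens access beyond mediaserver, because every base-policy rule written against that attribute now applies to this property. The mediaserver.te hunk in the same commit adds an explicit `allow mediaserver media_settings_xml_prop:file r_file_perms;`, which suggests mediaserver is the only intended reader. If the attribute is needed to satisfy another rule, note it next to the type, e.g. `# core_property_type: required by <rule>`; otherwise keep the explicit allow and leave the type as `property_type` only.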
@@ -37,7 +37,7 @@ /dev/block/platform/soc/1da4000.ufshc/by-name/modemst1 u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/modemst2 u:object_r:modem_efs_partition_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/ssd u:object_r:ssd_device:s0 -/dev/block/platform/soc/1da4000.ufshc/by-name/misc u:object_r:misc_partition:s0 +/dev/block/platform/soc/1da4000.ufshc/by-name/misc u:object_r:misc_block_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/rpm u:object_r:rpmb_device:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/msadp u:object_r:mba_debug_dev:s0 /dev/block/platform/soc/1da4000.ufshc/by-name/recovery u:object_r:recovery_block_device:s0 @@ -55,3 +55,8 @@ # data files # /data/misc/qvop(/.*)? u:object_r:qvop_data_file:s0 + +################################## +# non-hlos mount points +/firmware u:object_r:firmware_file:s0 +/bt_firmware u:object_r:bt_firmware_file:s0 diff --git a/msmcobalt/qvop.te b/msmcobalt/qvop.te index 47b61b31..ce69fa4d 100644 --- a/msmcobalt/qvop.te +++ b/msmcobalt/qvop.te @@ -41,4 +41,6 @@ allow qvop iqvop_service:service_manager add; binder_use(qvop) allow qvop tee_device:chr_file rw_file_perms; -r_dir_file(qvop, firmware_file)
\ No newline at end of file +r_dir_file(qvop, firmware_file) + +allow qvop ion_device:chr_file r_file_perms;
\ No newline at end of file |